{"id":1277,"date":"2017-02-04T14:15:57","date_gmt":"2017-02-04T12:15:57","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=1277"},"modified":"2017-02-04T14:15:57","modified_gmt":"2017-02-04T12:15:57","slug":"pax-utils-dumpelf-two-invalid-memory-read-in-dumpelf-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2017\/02\/04\/pax-utils-dumpelf-two-invalid-memory-read-in-dumpelf-c\/","title":{"rendered":"pax-utils: dumpelf: two invalid memory read in dumpelf.c"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"https:\/\/gitweb.gentoo.org\/proj\/pax-utils.git\">pax-utils<\/a> is a set of tools that check files for security relevant properties.<\/p>\n<p>A fuzz on scanelf exposed two invalid memory read. They was reported to vapier which fixed the issue immediately.<br \/>\nUnfortunately I can&#8217;t get a symbolized ASan stacktrace, so I will show only the useful part of both asan and gdb.<\/p>\n<pre><font size=\"2\"># dumpelf $FILE\r\n  SEGV on unknown address 0x7f8d94dc9e28 (pc 0x00000051efc6 bp 0x7ffe15ddbfa0 sp 0x7ffe15ddbf60 T0)\r\n==31647==The signal is caused by a READ memory access.\r\n\r\n(gdb)\r\n#0  0x00000000004067f7 in dump_dyn (dyn_void=dyn_void@entry=0x7ff5f7ff6e28, dyn_cnt=dyn_cnt@entry=0, elf=0x60d8e0, elf=0x60d8e0) at dumpelf.c:486\r\n#1  0x0000000000401e24 in dumpelf (file_cnt=0, filename=) at dumpelf.c:146\r\n#2  parseargs (argv=0x7fffffffe1a8, argc=2) at dumpelf.c:557\r\n#3  main (argc=2, argv=0x7fffffffe1a8) at dumpelf.c:566\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00140-pax-utils-dumpelf-invalidread-dump_dyn\">https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00140-pax-utils-dumpelf-invalidread-dump_dyn<\/a><\/p>\n<pre><font size=\"2\"># dumpelf $FILE\r\nSEGV on unknown address 0x6360e1292000 (pc 0x00000051fba9 bp 0x7ffeef817f20 sp 0x7ffeef817ec0 T0)\r\n==8213==The signal is caused by a READ memory access.\r\n\r\n(gdb)\r\n#0  dump_notes (B=B@entry=64, memory=memory@entry=0x63fff7ff5000, memory_end=0x6414f7ff5000, elf=0x60d8e0, elf=0x60d8e0) at dumpelf.c:228\r\n#1  0x0000000000405636 in dump_phdr (elf=elf@entry=0x60d8e0, phdr_void=phdr_void@entry=0x7ffff7ff50f0, phdr_cnt=phdr_cnt@entry=1) at dumpelf.c:324\r\n#2  0x0000000000401dd9 in dumpelf (file_cnt=0, filename=) at dumpelf.c:91\r\n#3  parseargs (argv=0x7fffffffe1a8, argc=2) at dumpelf.c:557\r\n#4  main (argc=2, argv=0x7fffffffe1a8) at dumpelf.c:566\r\n<\/font><\/pre>\n<p><strong>Reproducer:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00141-pax-utils-dumpelf-invalidread-dump_notes\">https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00141-pax-utils-dumpelf-invalidread-dump_notes<\/a><\/p>\n<p><strong>Affected version:<\/strong><br \/>\n1.2.2<\/p>\n<p><strong>Fixed version:<\/strong><br \/>\nN\/A<\/p>\n<p><strong>Commit fix:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/gentoo\/pax-utils\/commit\/18ded0e30ee5a84260cceb80d818b9c21ade4c76\">https:\/\/github.com\/gentoo\/pax-utils\/commit\/18ded0e30ee5a84260cceb80d818b9c21ade4c76<\/a><\/p>\n<p><strong>Credit:<\/strong><br \/>\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n<p><strong>CVE:<\/strong><br \/>\nN\/A<\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2017-01-30: bug discovered and reported to upstream<br \/>\n2017-02-01: upstream released a patch<br \/>\n2017-02-04: blog post about the issue<\/p>\n<p><strong>Note:<\/strong><br \/>\nThis bug was found with <a href=\"http:\/\/lcamtuf.coredump.cx\/afl\">American Fuzzy Lop<\/a>.<\/p>\n<p><strong>Permalink:<\/strong><br \/>\nhttps:\/\/blogs.gentoo.org\/ago\/2017\/02\/04\/pax-utils-dumpelf-two-invalid-memory-read-in-dumpelf-c<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description: pax-utils is a set of tools that check files for security relevant properties. A fuzz on scanelf exposed two invalid memory read. They was reported to vapier which fixed the issue immediately. Unfortunately I can&#8217;t get a symbolized ASan &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2017\/02\/04\/pax-utils-dumpelf-two-invalid-memory-read-in-dumpelf-c\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-kB","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1277"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=1277"}],"version-history":[{"count":2,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1277\/revisions"}],"predecessor-version":[{"id":1287,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1277\/revisions\/1287"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=1277"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=1277"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=1277"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}